A recently released report from Coalfire and Omdia found that for the majority of organizations, growing compliance obligations are now consuming 40 percent or more of IT security budgets and threaten to become an unsustainable cost.
The report reveals key clues as to why compliance burdens are growing so dramatically. For one, many cybersecurity standards are shifting from point-in-time reviews to continuous, outcome-based requirements.
Second, there is a severe skills shortage in the cybersecurity talent pool, further straining organizations’ ability to keep up with compliance requirements.
Last but not least, compliance budgets tend to stay flat even as compliance obligations and costs rise sharply.
The survey findings presented in this report were collected before COVID-19 was declared a global pandemic. As COVID-19 has triggered an economic recession that is unprecedented in scale, organizations have slashed their compliance budgets. In industries hit hard by COVID-19, such as travel, retail, and hospitality, compliance personnel, including employees on fraud and investigation teams, have been furloughed.
And this is all happening at a time when certain threats have become more dangerous as a result of the upheavals created by COVID-19.
COVID-19 Has Complicated the Risk Landscape
Cyberattacks were already a major stressor for security leaders before the pandemic. Analyses by security researchers have repeatedly found that organizations are highly likely to suffer data breaches through vulnerabilities in the third-party applications they use.
The Ponemon Institute found that in the past two years, 53% of organizations have experienced at least one data breach caused by a third party. And a data breach costs an average of $7.5 million to remediate.
Unfortunately, as the pandemic has pushed the above-ground economy into a major recession, the cybercrime economy appears to be charging ahead at full steam. The pandemic represents a once-in-a-lifetime opportunity for cybercriminals. With entire workforces suddenly working from home on less secure networks and devices, and with new types of software such as video conferencing apps being adopted at scale, attackers know they now have a much larger attack surface to exploit.
Additionally, when employees take on additional work or face pressure to meet goals during financially difficult circumstances, risks of misappropriated assets or fudged financials typically increase. Anti-corruption organizations have warned that the economic upheaval caused by the pandemic could create an environment that’s ripe for bribery. Fraud risk is significant.
Privacy risks have also been magnified during this pandemic. To keep communities safe, regulators are requiring employers to collect employees’ personal health information and share certain information with health authorities to contain the spread of the novel coronavirus. For instance, OSHA recently revised its guidance to require employers to conduct investigations to determine whether employees who have contracted COVID-19 did so in the workplace.
Meanwhile, employers must be careful about how they store this type of sensitive information. Several states have laws that require employers to keep employee health information secure and confidential, and an employer that discloses it to unauthorized parties risks violating those states’ data security laws.
Keeping employee personally identifiable information (PII) secure and confidential is difficult for employers that don’t have strong expertise in IT governance and data protection.
Further, we’re living through a time when few organizations are willing to take on additional third-party risk. Now is a bad time to give your customers reasons to worry about your security posture. In fact, the more quickly and systematically you can provide assurance that your systems are reliable, secure, and trustworthy, the better your customers will feel about you as a third-party vendor. Thus, staying on top of infosec audits and security questionnaires should remain a priority.
More than ever, organizations today need to keep their compliance procedures functioning properly; they need strong monitoring capabilities to make sure they can detect potential mistakes or misbehaviors and fix them before it’s too late. And equally importantly, each organization needs to ensure that it can meet security and compliance needs at the same time.
The Tension Between Security and Compliance
Meeting both security and compliance needs at the same time is a difficult thing to achieve for many organizations. For one, many businesses don’t have a dedicated compliance function. Rather, the security team does the compliance work; they handle endless requests for audits, document internal controls, make changes to internal controls, and so forth.
The work becomes a drag on the business because as audit requests go up, the risks of error go up as well. Plus, the security team has a day job of protecting the organization and its assets from hackers and malware.
Second, the tools organizations have been using to manage compliance workloads – usually a combination of spreadsheets, cloud file storage systems, and email – are insufficient for their ever-growing compliance needs.
There’s a better way to handle security and compliance.
Without intentional actions, these challenges will become more daunting over time. For one, clients and sales prospects will want to see that your company’s security risks are under control so that they can entrust their data with your business. So the requests for assessments and documentation will keep on coming.
Meanwhile, the new generation of privacy and data security regulations is here to stay; these rules impose formidable duties of care for the data a company has in its possession. And they hold the company responsible for third parties working with that data on the company’s behalf.
That means compliance with these regulations is about continuous monitoring and protection of data, rather than point-of-time audits. It’s also about vendor risk management, and your company’s ability to demonstrate competency at that task.
At this time, forward-looking organizations are turning to compliance operations software to ensure they can fulfill their security and compliance needs at the same time. Tools that can automate repetitive tasks have proven to be useful in saving a security team time and money, and in helping organizations become more attractive to their business partners.
What Is Compliance Automation?
Compliance automation is about using technology to eliminate as much manual, administrative work as possible from compliance activities, so that an organization can scale its activities and resources to meet the demands of an increasing compliance scope. Unfortunately, many organizations’ compliance teams and control operators spend far too much time on repetitive, administrative work.
For instance, we see many compliance managers still sending out emails and calendar reminders manually to nudge employees to submit evidence needed for audits. Then, they manually file away these documents in SharePoint or G-Drive until the scheduled audit.
Once the formal audit process kicks off, compliance managers have to pull files from their internal systems and upload them into yet another portal. Further, because many organizations go through multiple security audits each year (many with overlapping requirements) on a rolling audit schedule, it creates an environment where business and IT teams feel like they spend more time on supporting audits than typical business operations.
Automation Can Reduce Compliance Costs and Shrink Timelines
A recent study of IT security leaders commissioned by Coalfire found that the shift towards automation reduces assessment costs and timelines. 62% of surveyed companies said that automating evidence collection reduces their overall compliance burden.
Here at Hyperproof, we’ve seen similar findings from our own customer base. For instance, when Clarifire, a workflow application software company, implemented Hyperproof to manage all evidence centrally for its three separate security audits and all of its internal controls with Hyperproof’s built-in control health-tracking features, the compliance team reduced its audit preparation time by 50%.
Keys to Creating a Compliance Automation Checklist
First, Diagnose the Security Problem
Overburdened CISOs might reasonably scream and ask, “Where is all this regulation coming from?”
As noted above, it comes from a new generation of privacy and data security rules proliferating around the world. These rules impose formidable duties of care for the data a company holds and make the company responsible for third parties handling that data on its behalf. Compliance with them therefore means continuous monitoring and protection of data, plus demonstrable competence at vendor risk management, rather than point-in-time audits.
Hence the proliferation of security audits — which now consume far more of a security team’s time and resources than appropriate. For example, one recent analysis from Coalfire found that a majority of companies now spend at least 40 percent of their security budgets on compliance. Nearly half spend 20,000 man-hours a year on compliance, and 58 percent say compliance is a significant barrier to entering new markets.
Those numbers are terrible, but they do make sense. A multinational business might find itself saddled with a half-dozen compliance frameworks: data privacy regimes in multiple countries, data security regulations to bid on government contracts, and Sarbanes-Oxley frameworks for internal control over financial reporting. Those frameworks are similar, but not identical. This means your assessments, if not done carefully, can be duplicative and inconsistent.
Meanwhile, clients and sales prospects still want to see that your company’s security risks are under control so that they can entrust their data with your business. So the requests for assessments and documentation will keep on coming.
Nobody can fault customers for making those demands. From their perspective, it’s a reasonable request; you probably ask the same of your vendors. But this predicament does demonstrate that compliance and security are two dimensions of something in very high demand: clear, documentable, vendor risk management.
That’s the work that a company has to get right, both to save the security team time and money and to make the company more attractive to business partners.
Second, Use Strategic Compliance Solutions
Let’s restate that tension between security and compliance again, for the sake of clarity. It’s a part of a larger struggle to achieve better vendor risk management, both to establish your own company’s regulatory compliance and to be a more attractive business partner to potential customers.
If that’s the challenge, then the company’s strategic need becomes more clear: better use of technology to deliver vendor risk management, so that security and compliance needs are fulfilled at the same time.
What should that technology be able to do? Again, a few capabilities become clear right away, when you consider the security team’s needs.
For example, you’ll need a way to map risk assessment tasks across multiple frameworks; that avoids duplication of effort. You’ll also need automated evidence collection and automated reporting; that allows you to produce documentation and assurance for customers more quickly.
As much as possible, you’ll need to integrate your technology with other systems in the business, to ensure that any change in operations that might affect internal control is immediately flagged. For example, if an important control is assigned to someone who is furloughed or laid off, missing that detail can be a huge risk. At the least, your compliance technology should automatically alert you when a control isn’t executed or tested in a timely manner, so managers can investigate.
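As an added illustration (not code from the original post or from Hyperproof), the following Python sketch shows the kind of control-health check described above: given a control register with owners and test frequencies, an HR roster of active staff, and a mapping of controls to framework requirements, it flags controls whose owner is no longer active, whose evidence is overdue, or that have never been tested, and then reports which requirements in each framework are consequently at risk. The control IDs, staff names, dates and the control-to-requirement mapping are all constructed for the example and are not an authoritative crosswalk.

```python
"""Control-health check (added example): flag controls with inactive owners or
stale evidence, and roll the findings up to the framework requirements they back."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Control:
    control_id: str
    owner: str                     # person accountable for operating the control
    frequency_days: int            # how often evidence must be refreshed
    last_evidence: Optional[date]  # None means the control has never been tested


@dataclass(frozen=True)
class Finding:
    control_id: str
    reason: str


# Constructed sample data; IDs, names and dates are illustrative only.
ACTIVE_STAFF: Set[str] = {"alice", "bob"}  # HR roster; "carol" has been furloughed
CONTROLS: List[Control] = [
    Control("AC-01", "alice", 90, date(2020, 4, 1)),   # quarterly access review, current
    Control("AC-02", "carol", 30, date(2020, 5, 10)),  # owner no longer active
    Control("CM-01", "bob", 30, date(2020, 3, 1)),     # monthly config review, overdue
    Control("IR-01", "bob", 365, None),                # never tested
]
# Illustrative control-to-requirement mapping as (framework, requirement id) pairs.
# Not an authoritative crosswalk; one control can back requirements in several frameworks.
CROSSWALK: Dict[str, List[Tuple[str, str]]] = {
    "AC-01": [("SOC 2", "CC6.1"), ("ISO 27001", "A.9.2.5")],
    "AC-02": [("SOC 2", "CC6.2")],
    "CM-01": [("SOC 2", "CC8.1"), ("ISO 27001", "A.12.1.2")],
    "IR-01": [("SOC 2", "CC7.4"), ("ISO 27001", "A.16.1.5")],
}
TODAY = date(2020, 6, 1)


def check_controls(controls: List[Control], active_staff: Set[str], today: date,
                   grace_days: int = 0) -> List[Finding]:
    """Return one Finding per problem; a single control can produce several."""
    findings: List[Finding] = []
    for c in controls:
        if c.owner not in active_staff:
            findings.append(Finding(c.control_id, f"owner '{c.owner}' is not an active employee"))
        if c.last_evidence is None:
            findings.append(Finding(c.control_id, "no evidence has ever been collected"))
        else:
            due = c.last_evidence + timedelta(days=c.frequency_days + grace_days)
            if today > due:
                findings.append(Finding(c.control_id, f"evidence overdue since {due.isoformat()}"))
    return findings


def requirements_at_risk(findings: List[Finding],
                         crosswalk: Dict[str, List[Tuple[str, str]]]) -> Dict[str, Set[str]]:
    """Map unhealthy controls to the framework requirements that depend on them."""
    at_risk: Dict[str, Set[str]] = {}
    for ctrl_id in {f.control_id for f in findings}:
        for framework, req in crosswalk.get(ctrl_id, []):
            at_risk.setdefault(framework, set()).add(req)
    return at_risk


def run_report(controls=CONTROLS, active_staff=ACTIVE_STAFF, today=TODAY):
    """Run both checks over the sample register and return (findings, at_risk)."""
    findings = check_controls(controls, active_staff, today)
    return findings, requirements_at_risk(findings, CROSSWALK)


if __name__ == "__main__":
    findings, at_risk = run_report()
    for f in findings:
        print(f"[{f.control_id}] {f.reason}")
    for framework, reqs in sorted(at_risk.items()):
        print(f"{framework}: requirements at risk -> {', '.join(sorted(reqs))}")
```

In practice the roster would come from the HR or identity system and the evidence dates from wherever proof is stored; the point is that a control whose owner has left, or whose evidence has gone stale, surfaces as a finding before the auditor finds it, and that the same finding is reported once against every framework the control supports.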
Ultimately, all of this is about fitting security and compliance into the company’s broader business strategy. If you can automate compliance, then report and demonstrate your state of compliance on demand, you reduce your own vendor and regulatory compliance risk, make your business a more reliable third party (and therefore a more attractive vendor to your customers), and free the IT security team to focus on more sophisticated threats.
That’s the goal. Achieving it is neither quick nor easy, but then again, our current state of affairs isn’t quick or easy either.
Third, Address Challenges Along the Way
Perhaps the single biggest challenge to revamping security and compliance along these lines will be defining ownership of this project, especially for smaller firms. In many cases, the CISO may end up leading the work simply because nobody else has the necessary expertise. On the other hand, CISOs don’t usually have an abundance of free time — so consider how to win executive support for the idea, and then perhaps oversee a consultant or other outside contractor who moves things forward on a daily basis.
Regardless of who leads the project, another challenge will be identifying controls in the business so they can be mapped to regulatory requirements. This step is important because, without it, you can’t perform a gap analysis to see where controls don’t measure up; and without that, you can’t develop a plan for remediation.
Along similar lines, the security or compliance lead will need to work with business units to stay abreast of changes to operations after automated compliance comes to pass, so you’ll know when controls no longer work or exist.
This is especially important during the COVID-19 crisis, when layoffs or furloughs might leave key duties unattended, or work-from-home mandates might introduce new risks that don’t yet have controls assigned to them. Remember: if business operations change but your controls don’t, then you’re testing something useless and not testing something important. In the final analysis, and as we mentioned in a previous post, all of this is about investing in the company’s ability to manage risk. Making the business case for that investment isn’t easy these days, so above all frame the argument in those terms. Better security assessments aren’t a compliance exercise; they’re a fundamental part of vendor risk management. And with every passing day, that is becoming a fundamental part of business success.
Hyperproof Can Help You Automate Compliance Tasks
Hyperproof’s compliance operations platform delivers a set of capabilities designed to drastically cut down manual work in the IT compliance realm: collecting and organizing documentation, keeping evidence up to date, responding to audit requests, and more. Here are the ways in which Hyperproof can help you streamline compliance efforts and reduce manual work:
- Reduce time spent tracking down information: When you start to manage compliance tasks and documents in one place, you’re able to minimize time spent looking for information across disparate systems when it’s time to prepare for an audit or implement a new compliance framework.
In a compliance operations platform such as Hyperproof, you can document all IT compliance controls within your organization and map the controls to the requirements within various information security standards (e.g. SOC 2, ISO 27001, NIST SP 800-53, PCI DSS, CMMC, and others) as well as to the risks your organization is tracking. You can tie evidence to specific controls. Controls can be assigned to “owners,” and you can note what type of evidence someone needs to provide to attest that a control is operating. Requests to gather proof can be initiated directly in Hyperproof, and the submitted proof is tied directly to the relevant control. All of this information is documented, so you never lose the context needed to do effective work.
- Minimize duplicative effort as you scale up your compliance program and adhere to multiple standards and regulations. When you use Hyperproof, you’re able to define a set of controls for your organization once, collect evidence once, and re-use the work you’ve already done to jumpstart additional compliance and audit efforts.
Requests for security assessments and audits have multiplied over time. Because different infosec frameworks often have similar requirements, it’s common for a team to duplicate effort as they attempt to fulfill multiple frameworks by creating separate sets of controls. Hyperproof automatically identifies the overlapping (or common) requirements and controls between different infosec frameworks. As such, a compliance team is able to design and manage a smaller set of controls to meet multiple compliance standards more efficiently. You can read this article to see the crosswalks we’ve already lit up.
Additional resource: Implementing a Common Controls Framework in Hyperproof
With Hyperproof, you can also re-use evidence across multiple audits. With Labels in Hyperproof, evidence files can be grouped together and put into a folder. A single piece of evidence (or a set) can be mapped to multiple controls (in a single compliance framework or in multiple frameworks). When new proof is attached to a Label, the proof is automatically associated with all controls in that Label. That means you can collect evidence once and automatically re-use it everywhere that evidence is required.
- Save time in gathering evidence by setting up automation
When you use Hyperproof, you can set it up so that proof you’re storing within various cloud storage systems (e.g. Google Drive, Dropbox, Box, SharePoint) is automatically brought into Hyperproof. You can point Hyperproof at a folder in a system such as Google Drive, and the platform will automatically pull in the newest files from that location on a daily basis.
Further, Hyperproof has integrations with cloud services (e.g. Azure, AWS) and developer tools (e.g. GitHub) so you can automate the collection of proof (e.g. security settings and configurations) from these systems. We call this feature Hypersync. All proof collected through Hypersync comes with auto-generated metadata (e.g. when it was generated and the exact location it came from), so your auditor can verify where and when the proof was collected.
- Collaborate with colleagues without having to switch between different systems
Hyperproof natively integrates with productivity tools such as Jira, Slack, and Microsoft Teams to support seamless communication between compliance managers, business process owners, and control operators. Compliance professionals can manage tasks centrally, while those outside of compliance continue to use the tools they’re already accustomed to.
Many times, controls fail because nobody knows that the control isn’t being performed or updated in a timely fashion. In Hyperproof, you can set up automated reminders to ensure that control owners are reviewing controls on a regular basis, and ensure that testing and evidence collection are happening throughout the year, rather than right before an audit.
When it’s time for an audit, you can invite your auditor directly into the Audit Module in Hyperproof and give them access to the documents you’d like them to see. This eliminates the need for compliance managers to send files to auditors separately.
- Communicating progress and your compliance posture to stakeholders
Hyperproof comes with dashboards and drill-down reports to give teams a thorough understanding of the status of each compliance program and a high-level view of their overall compliance posture. With real-time data on where things stand, teams can home in on what remediations are needed and which controls need review, and know exactly where they need to focus their energy.
If you’d like to learn more about how automation can be applied across your compliance workflows so that you can save time and money, we’d love to answer your questions. Please don’t hesitate to reach out to us here at Hyperproof. Contact us for a personalized demo.
How to Start Automating Compliance Tasks
For further tips on how to start to automate compliance tasks and improve your cybersecurity posture, check out the following resources:
- Getting Ahead of Compliance Scalability Issues with a Compliance Operations Platform
- Three Essential Tips for Streamlining Data Security and Minimizing Redundancies
- How to Speed up Evidence Collection and Save Time On Audits
- Use Automated CrossWalks to Eliminate Duplicative Work in Meeting Multiple Compliance Frameworks
- Hyperproof’s Continuous Compliance Learning Center